You can use the ActionTrail console to query AccessKey usage records, including the Alibaba Cloud services accessed, associated IP addresses, and resources, helping you monitor account security and detect potential threats.
Prerequisites
Obtain the AccessKey ID you want to query. For more information, see Obtain an AccessKey.
ActionTrail retains events from the past 90 days by default. To access older records, create a trail to deliver events to SLS or OSS. For more information, see Create a single-account trail.
Procedure
-
Log on to the ActionTrail console.
-
In the navigation pane on the left, choose .
-
On the AccessKey Event Query page, enter the AccessKey ID and click the
icon. -
In the Basic Information section, view details such as AccessKey ID, Account ID (Alibaba Cloud account ID), Username, RAM User ID, Last Accessed At, and Service Last Accessed.
-
In the Alibaba Cloud Service section, view the list of Alibaba Cloud services accessed by this AccessKey, along with the Event List, IP Address List, and Resource List.
-
Alibaba Cloud service list
In the Alibaba Cloud Service section, view the Cloud Service and Last Accessed At.
-
Event list
Click Event List in the Actions column for a specific Alibaba Cloud service to view details such as Event Name, Last Called At, Region, and event details.
Note-
AccessKey Audit provides management event queries by default. After you create a data event trail, data events generated after trail creation appear in the event list.
-
For more information about fields in events, see Management event structure definition.
-
-
IP list
Click IP Address List in the Actions column for a specific Alibaba Cloud service to query the IP, Last Accessed At, Region, and IP address details.
-
Resource list
Click Resource List in the Actions column for a specific Alibaba Cloud service to query the Resource Type, Resource Name, Last Accessed At, Region, and resource details.
For a list of resource types supported by AccessKey Audit, see Resource types.
-
AK leak investigation and response
If an AccessKey is leaked, use AccessKey Audit to investigate abnormal operations during the leak period and mitigate damage.
Critical high-risk event types
In the event list, focus on these high-risk operation events:
|
Event name |
Risk description |
|
|
An attacker creates ECS instances for cryptomining or proxy setup. |
|
|
An attacker opens vulnerable ports (such as 22 or 3389), exposing internal resources. |
|
|
An attacker creates a new AccessKey for an existing RAM user to maintain access. |
|
|
An attacker escalates privileges by granting high-risk permissions such as AdministratorAccess to themselves or newly created users. |
|
|
An attacker creates a backdoor RAM user to establish persistent access. |
Response steps after detecting abnormal operations
-
Disable and delete the leaked AccessKey. Disable the AccessKey in the RAM console. After confirming that your business is unaffected, delete it. Also rotate to a new AccessKey for the affected user.
-
Check for unauthorized AccessKeys or RAM users. Search the event list for CreateAccessKey and CreateUser events. Delete all unauthorized AccessKeys and RAM users.
-
Roll back abnormal resources. Identify and release resources created by the attacker, such as ECS instances and OSS buckets. Revoke unauthorized security group rules and access policy changes.
-
Investigate suspicious IP addresses. In the IP list, identify non-internal IP addresses to locate the attack source and assess impact scope.
Related operations
-
You can also view AccessKey details in Resource Access Management (RAM). For more information, see View AccessKey information for a RAM user.
-
You can also call API operations to query AccessKey event records. For more information, see AccessKey audit.
-
You can also use event query to retrieve detailed AccessKey invocation records. For more information, see How do I query the Alibaba Cloud services and invocation records for an AccessKey?.